I wanted cyrus-imapd to use the Unix password files for
authentication. To give imapd access to /etc/shadow, I put user "cyrus"
into a group "shadow" that has read privileges for /etc/shadow. I
verified that user "cyrus" can read /etc/shadow by logging in as "cyrus"
and viewing the file. I modified the sasl_pwcheck_method line in
/etc/imapd.conf to:

    sasl_pwcheck_method: shadow

This should have done the trick, as these are the popular work-arounds
that are commonly cited. But Cyrus refused to authenticate. It *will*
use the shadow passwords if I set /etc/shadow to be world readable, but
that is obviously not acceptable. I finally set /usr/cyrus/bin/imapd to
belong to group "shadow" with g+s mode, and this arrangement does
work. But Cyrus-IMAP really should work out of the box without this
undocumented (and probably unrecommended) fiddling with imapd's mode
bits and ownership.
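
Added example, not part of the original post: a shell check that reports which of the arrangements described above is in effect for a given shadow file and daemon binary, so a world-readable shadow file or a setgid binary shows up in an audit. The function names are hypothetical; the two paths are arguments (the post's values would be /etc/shadow and /usr/cyrus/bin/imapd).

```shell
#!/bin/sh
# Added example: classify how a daemon binary can reach a shadow file.
# Function names are hypothetical and not part of Cyrus.

# has_perm FILE MASK: true when every permission bit in MASK is set on FILE.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# file_gid FILE: print the numeric group id that owns FILE.
file_gid() {
    ls -ldn "$1" | awk '{print $4}'
}

# audit_shadow_access SHADOW BINARY: print exactly one of
#   world-readable         any local user can read the password hashes
#   owner-only             no group read bit, group tricks cannot work
#   setgid-binary          BINARY is g+s and owned by the shadow file's group
#   group-membership-only  readable by group, BINARY is not setgid to it
audit_shadow_access() {
    shadow=$1
    binary=$2
    if has_perm "$shadow" 0004; then
        echo "world-readable"
        return 0
    fi
    if ! has_perm "$shadow" 0040; then
        echo "owner-only"
        return 0
    fi
    if [ -g "$binary" ] && [ "$(file_gid "$binary")" = "$(file_gid "$shadow")" ]; then
        echo "setgid-binary"
        return 0
    fi
    echo "group-membership-only"
}

# Run directly as: sh audit.sh /etc/shadow /usr/cyrus/bin/imapd
if [ "$#" -eq 2 ]; then
    audit_shadow_access "$1" "$2"
fi
```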